This week, Ars Technica and How-To Geek released some pretty startling news: a lot of browser extensions are either injecting ads into the sites you visit, or are tracking your entire browsing history—possibly without you knowing. Here's what's going on.

Update: There is now a Chrome extension called ExtShield that will notify you if you're using any other privacy-breaching extensions. Read more about it here.

Chrome: ExtShield is a new extension that will let you know if you're running one of the…
Read more Read more

As Ars notes, a lot of these extensions started as good, honest, independent extensions that were bought by adware companies. Then, through automatic updates, they added tracking features and/or ad injection and have been collecting data ever since. This is pretty easy, since they already required permissions that were so broad. They may have checkboxes in the settings that let you turn this behavior off, or they may have disclosures located on the extension's download page. But if you didn't read the fine print or downloaded the extension before it updated, you probably had no idea this was happening.

Dear Lifehacker, I'm a big fan of Google Chrome and I love using extensions. However,…
Read more Read more

From the How-To Geek's explainer:

Advertisement

Advertisement

These extensions are "allowed" to engage in this tracking behavior
because they "disclose" it on their description page, or at some point
in their options panel. For instance, the HoverZoom extension, which has a million users, says the following in their description page, at the very bottom:

"Hover Zoom uses anonymous usage statistics. This can
be disabled in the options page without losing any features as well. By
leaving this feature enabled, the user authorize the collection,
transfer and use of anonymous usage data, including but not limited to
transferring to third parties."

Where exactly in this description does it explain that they are going
to track every single page you visit and send the URL back to a third
party, which pays them for your data? In fact, they claim
everywhere that they are sponsored through affiliate links, completely
ignoring the fact that they are spying on you. Yeah, that's right, they
are also injecting ads all over the place. But which do you care more
about, an ad showing up on a page, or them taking your entire browsing
history and sending it back to somebody else?

This particular extension has had a long history of bad behavior,
going back quite some time. The developer has recently been caught collecting browsing data including form data… but he was also caught last year selling data on what you typed in
to another company. They've added a privacy policy now that explains in
further depth what is going on, but if you have to read a privacy
policy to figure out that you are being spied on, you've got another
problem.

To sum up, a million people are being spied on by this one extension alone. And that's just one of these extensions — there are a lot more doing the same thing.

The How-To Geek is putting together a solid list of extensions that practice this behavior, including many that we've featured on Lifehacker (before they became adware), including Hover Zoom, CrxMouse, Hola Unblocker,SmoothGestures, and tons of others. (Update: Hola Unblocker tested ads in December, but has since removed them). Google has already removed a few of the higher profile ones, but as long as their policies allow for this, it will continue to be a problem. Mozilla has a few extensions that fall into this category too, though it seems to be less of a prominent issue for Firefox users.

I'm the founder of Hola. In November we told our users we would test out various methods to…
Read more Read more

I highly recommend reading the full article over at How-To Geek. It has a lot more detail on what happened and how to investigate the extensions you have installed. In addition, you should check out their list and see if you're using any of the extensions on it.